20

I often log into my Ubuntu 12.04.2 server (with Postgres 9.2.4 running with live production data) and see something akin to:

4 packages can be updated.
4 updates are security updates.

This happens about every few days, of course. I'm not interested in automatic updates (the fewer things I can have changing when I'm asleep, the better), but I am interested in always keeping my server up to date, so my question is: When I see output such as that, is it always considered safe to run apt-get upgrade, or are there times when it can break things? I understand that patches are not always perfect (hence the quoted "always" in the title), but as a general rule, is it assumed safe to run this (esp. given this is a database server vs. something that just serves CSS files via Nginx)?

orokusaki

5 Answers

10

Generally, yes, this is safe. For critical packages, though (Postgres, Nginx, etc.), I'd recommend pinning those packages to a specific version so that they do not get updated. When Postgres gets updated, for instance, it will restart the database server, which is something you want to be able to schedule around planned downtime.

That said, it's always best to test upgrades on a staging server before promoting them to production, so that's something to think about adding to your deployment process.

EEAA
  • 1
    and reboot if there's a kernel upgrade. Nothing worse than finding your server no longer boots without intervention in an emergency. – Sirex Jun 06 '13 at 19:00
  • 1
    "I'd recommend pinning those packages to a specific version so that they do not get updated": How? – vcardillo Oct 03 '16 at 17:37
  • 1
    @vcardillo Do a google search for "apt pinning". – EEAA Oct 03 '16 at 17:43
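A pre-upgrade review along the lines discussed in the answer and comments above, as an added example that is not part of the thread or written by any of its posters. It reads the text printed by `apt-get -s upgrade` (simulation only) and flags service packages to hold and kernel packages that need a reboot; the function names, the two patterns and the sample versions are assumptions constructed for illustration.

```shell
#!/bin/sh
# Pre-upgrade review for a production host (added example).
# Real use: apt-get -s upgrade | classify   (-s simulates; nothing is changed)

# Assumed patterns: services whose upgrade restarts them, and kernel
# packages that only take effect after a reboot. Adjust per host.
SERVICE_RE='^(postgresql|nginx)'
KERNEL_RE='^linux-image'

# pending_packages: read simulation output on stdin and print
# "name old new" for every "Inst" line ("-" when a version is absent).
pending_packages() {
    awk '$1 == "Inst" {
        oldv = "-"; newv = "-"
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^\[/ && oldv == "-") oldv = substr($i, 2, length($i) - 2)
            if ($i ~ /^\(/) { newv = substr($i, 2); break }
        }
        print $2, oldv, newv
    }'
}

# classify: print "HOLD|REBOOT|OK name old -> new" for each pending package.
classify() {
    pending_packages | while read -r name old new; do
        if printf '%s\n' "$name" | grep -Eq "$SERVICE_RE"; then tag=HOLD
        elif printf '%s\n' "$name" | grep -Eq "$KERNEL_RE"; then tag=REBOOT
        else tag=OK; fi
        printf '%s %s %s -> %s\n' "$tag" "$name" "$old" "$new"
    done
}

# hold_commands: print (do not run) the apt-mark line for HOLD packages.
hold_commands() {
    classify | awk '$1 == "HOLD" { pkgs = pkgs " " $2 }
        END { if (pkgs != "") print "apt-mark hold" pkgs }'
}

# Constructed sample of `apt-get -s upgrade` output (versions are made up).
SAMPLE='Inst libssl1.0.0 [1.0.1-4ubuntu5.9] (1.0.1-4ubuntu5.10 Ubuntu:12.04/precise-security [amd64])
Inst postgresql-9.2 [9.2.4-1] (9.2.5-1 Constructed:repo [amd64])
Inst linux-image-generic [3.2.0.48.58] (3.2.0.49.59 Ubuntu:12.04/precise-security [amd64])
Conf libssl1.0.0 (1.0.1-4ubuntu5.10 Ubuntu:12.04/precise-security [amd64])'

printf '%s\n' "$SAMPLE" | classify
printf '%s\n' "$SAMPLE" | hold_commands
```

A held package is skipped by `apt-get upgrade` until `apt-mark unhold` is run, so its security fixes have to be applied deliberately in a maintenance window.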
6

Yes and no. Most applications are OK, but some applications may not be too happy to be upgraded.

I have seen examples where upgrading Java from 1.6.29 to 1.6.30 breaks the application. I have also seen MySQL breaking between 5.0.X and 5.0.X+1 (I don't remember the exact numbers here).

System applications should be mostly OK, but you should read carefully the release notes of the applications that your server is actually providing.

Read what nginx changes, and try to understand if there are any changes that may affect your particular setup. The more advanced your use of an application, the easier it is to break.

espenfjo
5

Aptitude has easier-to-remember commands: aptitude safe-upgrade vs. aptitude full-upgrade. It is still a good idea to install apt-listchanges so that you will be given information about the changes in the updated packages and the option to cancel the upgrade.

ptman
0

Yes, I tried upgrading on Ubuntu 18.04 with the commands

sudo apt update
sudo apt upgrade

and it's fine, with Apache server, PHP and MySQL upgraded on my server.

Faisal
0

No. If this is a production instance that you manage as a part of your job, packages should be explicitly pinned, codified and encapsulated within your orchestration solution (i.e., Ansible, Chef, container images, blah blah). If you allow your package manager to upgrade packages, in an ecosystem where packages are tightly coupled, you will eventually fubar your service availability.

Everyone else who is suggesting otherwise does not know what they are talking about and for some reason is confident despite a pretty glaring lack of professional concern for service availability. Your job is not to update packages - your job is to manage service availability, orchestration and instrumentation.

christianlc